Compliance with e-mail retention law is not easy. Email in an enterprise like a municipal government is voluminous. And at city hall, failure to keep required electronic mail records can look like a scandal, where it appears officials are trying to cover up the truth about something important.
Hence, the City of Boston has hired a forensic specialist to attempt to recover the destroyed e-mails of an aide to the mayor. As part of the specialist's investigation, he or she might look on PC hard drives and in network backup tapes to locate erased records.
Forensic retrieval of email is costly. The expense of forensics quickly exceeds whatever the city might have been saving by not implementing a comprehensive email archival system in the first place. Had the city foreseen it would eventually be forced to restore deleted e-mails, it would have readily seen the need for good archival as a matter of good IT management.
The city did have an archival program, but it only pertained to emails that had resided in a user’s inbox for more than 90 days. In other words, the program gave decision-making responsibility to users. If users decided to delete records before 90 days, then the records would not be archived. Among the problems with giving users such decision power is that users are rarely qualified (and rarely have the time) to exercise the required judgment. Further, a user has a conflict of interest. If a record reflects negatively on the user, she naturally prefers to destroy it.
Generally speaking, the Massachusetts state record retention schedules applicable to city government require that email correspondence of “no informational or evidential value” be retained a minimum of two years.
But just instituting a policy that all e-mail be kept two years does not solve all of the city’s record retention problem. Many e-mails must be retained for various longer periods, depending on content. To examine email content and determine that this record needs X retention period and that record needs Y retention period is very, very difficult in practice. In fact, I am skeptical that such one-by-one examination can be done effectively in government across many users over an extended period of time. (If you, dear reader, know of any case study showing it can be done, I cordially invite you to point me to that study!)
Under the auspices of Messaging Architects, I led a workshop on this topic with the stakeholders (IT, HR, legal department, et al.) in Jackson County, Oregon, in February 2009. The conclusion was that the county government would archive all e-mail (spam excluded) more or less indefinitely.
–Benjamin Wright, Senior SANS Instructor for e-Discovery and e-Record Retention Law